def test_get_sigma_rule(self):
"""Test getting sigma rule from file"""
filepath = "./data/sigma/rules/lnx_susp_zmap.yml"
rule = sigma_util.get_sigma_rule(filepath)
self.assertIsNotNone(rule)
self.assertIn("zmap", rule.get("es_query"))
self.assertIn("b793", rule.get("id"))
# temp write a file with content
with open("./data/sigma/rules/temporary.yml", "w+",
encoding='utf-8') as f:
f.write(SIGMA_MOCK_RULE_TEST4)
self.assertNotEqual(0, os.stat(f.name).st_size)
self.assertIsNotNone(f)
rule_by_file = sigma_util.get_sigma_rule(f.name)
# Test that rule from file equals rule from text
rule_by_text = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4)
self.assertEqual(rule_by_file.get('id'), rule_by_text.get('id'))
self.assertEqual(rule_by_file.get('es_query'),
rule_by_text.get('es_query'))
# clean up
os.remove(f.name)
def post(self):
"""Handles POST request to the resource.
Returns:
JSON sigma rule
"""
form = request.json
if not form:
form = request.data
content = form.get('content')
if not content:
return abort(HTTP_STATUS_CODE_BAD_REQUEST,
'Missing values from the request.')
try:
sigma_rule = ts_sigma_lib.get_sigma_rule_by_text(content)
except ValueError:
logger.error('Sigma Parsing error with the user provided rule',
exc_info=True)
abort(HTTP_STATUS_CODE_BAD_REQUEST,
'Error unable to parse the provided Sigma rule')
except NotImplementedError as exception:
logger.error(
'Sigma Parsing error: Feature in the rule provided '
' is not implemented in this backend',
exc_info=True)
abort(HTTP_STATUS_CODE_BAD_REQUEST,
'Error generating rule {0!s}'.format(exception))
except sigma_exceptions.SigmaParseError as exception:
logger.error('Sigma Parsing error: unknown error', exc_info=True)
abort(
HTTP_STATUS_CODE_BAD_REQUEST,
'Sigma parsing error generating rule with error: {0!s}'.
format(exception))
except yaml.parser.ParserError as exception:
logger.error(
'Sigma Parsing error: an invalid yml file has been provided',
exc_info=True)
abort(
HTTP_STATUS_CODE_BAD_REQUEST,
'Sigma parsing error: invalid yaml provided {0!s}'.format(
exception))
if sigma_rule is None:
abort(HTTP_STATUS_CODE_NOT_FOUND, 'No sigma was parsed')
metadata = {'parsed': True}
return jsonify({'objects': [sigma_rule], 'meta': metadata})
def test_get_rule_by_text(self):
"""Test getting sigma rule by text."""
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE)
self.assertIsNotNone(MOCK_SIGMA_RULE)
self.assertIsNotNone(rule)
self.assertIn('zmap', rule.get('es_query'))
self.assertIn('b793', rule.get('id'))
self.assertRaises(sigma_exceptions.SigmaParseError,
sigma_util.get_sigma_rule_by_text,
MOCK_SIGMA_RULE_ERROR1)
def test_get_rule_by_text(self):
"""Test getting sigma rule by text."""
rule = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_TEST4)
self.assertIsNotNone(SIGMA_MOCK_RULE_TEST4)
self.assertIsNotNone(rule)
self.assertEqual(
'(data_type:"windows:evtx:record" AND source_name:("Microsoft-Windows-Security-Auditing" OR "Microsoft-Windows-Eventlog") AND event_identifier:"4624" AND xml_string:"\\\\WmiPrvSE.exe")', # pylint: disable=line-too-long
rule.get("es_query"),
)
rule = sigma_util.get_sigma_rule_by_text(SIGMA_MOCK_RULE_ENDSWITH)
self.assertIsNotNone(SIGMA_MOCK_RULE_ENDSWITH)
self.assertIsNotNone(rule)
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE)
self.assertIsNotNone(MOCK_SIGMA_RULE)
self.assertIsNotNone(rule)
self.assertIn("zmap", rule.get("es_query"))
self.assertEqual(
'(data_type:("shell:zsh:history" OR "bash:history:command" OR "apt:history:line" OR "selinux:line") AND "apt-get install zmap")', # pylint: disable=line-too-long
rule.get("es_query"),
)
self.assertIn("b793", rule.get("id"))
with self.assertRaises(sigma_exceptions.SigmaParseError):
sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_ERROR1)
self.assertIn("2020/06/26", rule.get("date"))
self.assertIsInstance(rule.get("date"), str)
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_2)
self.assertIsNotNone(rule)
self.assertEqual(
'("Whitespace at" OR " beginning " OR " and extra text ")',
rule.get("es_query"),
)
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_3)
self.assertIsNotNone(rule)
self.assertEqual(
'(data_type:"windows:evtx:record" AND " lorem ")',
rule.get("es_query"),
)
with self.assertRaises(NotImplementedError):
sigma_util.get_sigma_rule_by_text(COUNT_RULE_1)
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_DATE_ERROR1)
self.assertIsNotNone(MOCK_SIGMA_RULE_DATE_ERROR1)
# it is actually: 'date': datetime.date(2022, 1, 10)
self.assertIsInstance(rule.get("date"), datetime.date)
self.assertIsNot("2022-01-10", rule.get("date"))
self.assertIn("dd23d2323432", rule.get("modified"))
rule = sigma_util.get_sigma_rule_by_text(MOCK_SIGMA_RULE_DOTS)
self.assertIsNotNone(MOCK_SIGMA_RULE_DOTS)
self.assertIsNotNone(rule)
self.assertEqual("67b9a11a-03ae-490a-9156-9be9900aaaaa",
rule.get("id"))
self.assertEqual(
r'("aaa:bbb" OR "ccc\:\:ddd")',
rule.get("es_query"),
)
rule = sigma_util.get_sigma_rule_by_text(
MOCK_SIGMA_RULE_STARTSWITH_ENDSWITH)
self.assertIsNotNone(MOCK_SIGMA_RULE_STARTSWITH_ENDSWITH)
self.assertIsNotNone(rule)
self.assertEqual("5d2c62fe-3cbb-47c3-88e1-88ef73503a9f",
rule.get("id"))
self.assertIn(
'event_identifier:"10" AND (xml_string:"\\\\foobar.exe" AND xml_string:"10"', # pylint: disable=line-too-long
rule.get("es_query"),
)